WildFly Core / WFCORE-1313

User with slash or backslash char in LDAP name cannot log in through security-realm

Details

      1. Start LDAP server which uses attached users.ldif
      2. Add these to the EAP configuration file

      • Security realm - "ldap-realm"
      • Outbound-connection - ldap - "ldap-connection"
      <management>
          ....
          <security-realms>
          ....
              <security-realm name="ldap-realm">
                  <authentication>
                      <ldap connection="ldap-connection" base-dn="ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org">
                          <advanced-filter filter="(uid={0})"/>
                      </ldap>
                  </authentication>
              </security-realm>
          </security-realms>
          <outbound-connections>
              <ldap name="ldap-connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
          </outbound-connections>
          ....
      </management>

      Change ManagementRealm in <management-interfaces>

      <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">

      to our ldap-realm

      <http-interface security-realm="ldap-realm" http-upgrade-enabled="true">

      3. Try to log in to management localhost:9990

      • jduke with Password1 -> OK
      • Slash/Char with Password1 -> NOK (but it should be OK)
      • Back\Slash with Password1 -> NOK (but it should be OK)

    Description

      According to the LDAP specification [1], a DN can contain a slash character without escaping, an escaped backslash, etc.

      I am not able to log in to the management console with username "Slash/Char" or "Back\Slash". But I should be able to log in there.

      I can see this in Wireshark
      Slash/Char

      LDAPMessage bindRequest(1) ""uid=Slash/Char",ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org" simple
      LDAPMessage bindResponse(1) invalidDNSyntax (Incorrect DN given : "uid=Slash/Char",ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org (0x22 0x75 0x69 0x64 0x3D 0x53 0x6C 0x61 0x73 0x68 0x2F 0x43 0x68 0x61 0x72 0x2

      You can see the quotation marks around uid=Slash/Char there.

      Back\Slash

      LDAPMessage bindRequest(1) "uid=Back\\\Slash,ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org" simple
      LDAPMessage bindResponse(1) invalidDNSyntax (Incorrect DN given : uid=Back\\\Slash,ou=People,o=LdapRealmSpecialNameManualTest7d339efa,o=primary,dc=jboss,dc=org (0x75 0x69 0x64 0x3D 0x42 0x61 0x63 0x6B 0x5C 0x5C 0x5C 0x53 0x6C 0x61 0x73 0x6

      You can see three backslash chars there.

      In my opinion the problem is somewhere around this:

      javax.naming.NameImpl.stringifyComp(String comp)

      [1] https://tools.ietf.org/html/rfc2253#section-3
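      As an added illustration (Python written for this page, not WildFly or javax.naming code), the following shows the escaping the username needs in the two places this realm uses it: the bind DN per RFC 2253/4514 and the (uid={0}) search filter per RFC 4515. It also includes a checker that rejects the two malformed DN values seen in the Wireshark capture above (the quoted RDN and the triple backslash); all function names are hypothetical.

```python
import re
# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
DN_SPECIAL = set(',+"\\<>;')
# Characters that must be hex-escaped inside a search filter assertion value (RFC 4515).
_FILTER_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN such as uid=<value>."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)                 # one backslash, never three
        elif (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)                 # leading/trailing space, leading '#'
        elif ord(ch) < 0x20:
            out.append('\\%02X' % ord(ch))        # control chars as hex pairs
        else:
            out.append(ch)                        # '/' is an ordinary DN character
    return ''.join(out)

def escape_filter_value(value: str) -> str:
    """Escape a value substituted for {0} in a filter such as (uid={0})."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def bind_dn(uid: str, base_dn: str) -> str:
    """Bind DN the realm should send: uid=<escaped value>,<base-dn>."""
    return 'uid=' + escape_dn_value(uid) + ',' + base_dn

def search_filter(uid: str, template: str = '(uid={0})') -> str:
    """The configured advanced-filter with the escaped username substituted."""
    return template.replace('{0}', escape_filter_value(uid))

def dn_value_is_wellformed(escaped: str) -> bool:
    """True if every special char is escaped and every backslash starts a valid escape."""
    i = 0
    while i < len(escaped):
        ch, nxt = escaped[i], escaped[i + 1:i + 2]
        if ch == '\\':
            if nxt and (nxt in DN_SPECIAL or nxt in ' #='):
                i += 2                            # \, \" \\ \  \# \= and so on
            elif re.fullmatch(r'[0-9A-Fa-f]{2}', escaped[i + 1:i + 3]):
                i += 3                            # \2c style hex pair
            else:
                return False                      # dangling or invalid escape, e.g. \S
        elif ch in DN_SPECIAL:
            return False                          # unescaped special, e.g. a bare quote
        else:
            i += 1
    return True
```

      The capture's uid=Back\\\Slash fails the checker because the third backslash starts the invalid escape \S, and "uid=Slash/Char" fails because the quotes are unescaped; the correctly built DNs pass unchanged.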

            People

              rhn-engineering-lgao Lin Gao
              hsvabek_jira Hynek Švábek (Inactive)